This discussion is archived
2 Replies Latest reply: Jan 15, 2013 2:00 PM by Soy PeopleSoft en Español

HTTPOnly on Cookies

Soy PeopleSoft en Español Newbie
The security group of my company performed a web security scan (with WebInspect), and they found that Set-Cookie does not use the HTTPOnly keyword, and they sent me a list of the URLs that they found with this vulnerability (in fact, all pages of my Global Payroll application don't use this 'feature'). I think that this "feature" is on the web server. I'm using PeopleTools 8.49.30 and WebSphere 6.1.0.23 (I tried to find where to activate it, but I didn't find it). Do you know how I can enable this "feature"?
  • 1. Re: HTTPOnly on Cookies
    Andres_Caro Pro
    Hi,

    You can see the document "ID 985574.1" on Oracle Support to know the answer.

    This is a fragment of the document:


    "PeopleSoft PIA does not support HTTPOnly for cookies. Enhancement request Bug:11521341 has been created with development to request this feature in a future PeopleTools release. This document will be updated when and if this enhancement becomes part of a tools release. As of now, it is still not part of PT 8.52."

    It could be implemented in PT 8.53, but you have to wait until next year...

    Regards,
  • 2. Re: HTTPOnly on Cookies
    Soy PeopleSoft en Español Newbie
    Andres: Thanks a lot for your answer.

    I found that there are some APARs for WebSphere that can solve this, but I need to upgrade my web server to a new version that is not certified by Oracle. But anyway, I already downloaded the Doc ID and I use it as support for my audit.
